Postfix & SASL Authentication

Greg Groth ggroth at gregs-garage.com
Tue Aug 8 14:52:24 UTC 2006


On 8/8/2006 9:20 AM, Gerard Seibert wrote:
> FreeBSD 6.1 STABLE
> 
> I have SASL and Postfix installed and for the most part they seem to
> work all right together. However, there is one small problem.
> 
> When attempting to send a message from one of the PC's on the network,
> actually any PC on the network except for the one with Postfix installed
> on it, this error message is inserted into the maillog file.
> 
> Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from boss.seibercom.net[192.168.0.4]
> Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication failure: no user in db
> Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, sasl_username=gerard at seibercom.net
> 
> All of the users are authenticated. Exactly what is it referring to and how do I correct it? The mail does get relayed however, so it is not a fatal warning.
> 
> 
Which version of SASL?  v1 or v2?

The following is based on my experience with v2, and I don't know if it 
applies to v1 or not.

As far as the message in your log file, it's attempting to authenticate, 
but it's not connecting to the user database to verify the user.  More 
than likely it's allowing you to send mail from the local server because 
you have Postfix configured to allow it to relay mail from localhost, 
and that this is allowing you to send the email even though 
authentication is failing.

To determine which authentication methods Postfix will accept, telnet to 
localhost on port 25 and issue an EHLO:

mail# telnet localhost 25
Trying ::1...
Connected to localhost.domain.com.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix

EHLO localhost

250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

In this instance, the AUTH line dictates which authentication mechanisms 
Postfix will accept.  In this case: NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 
CRAM-MD5

Check your /usr/local/lib/sasl2/smtpd.conf file and make sure that you 
have the correct auth mechanism listed.  For plain text login that's 
verified against your existing users, your smtpd.conf file would read as 
follows:

pwcheck_method: saslauthd

This will verify against your existing user accounts.  There are other 
methods, such as pwcheck_method:  sasldb, that will verify against 
SASL's own password database, which I've never used.

Make sure that you have saslauthd running (which it appears you do).

Issue the following:

# /usr/local/sbin/testsaslauthd -u username -p password
0: OK "Success."

If saslauthd is operating correctly, you'll receive the OK "Success." 
If not, your problem is with saslauthd.

If your AUTH line does not list the right AUTH mechanism, the problem is 
with Postfix.  For instance, if you're trying to use SMTP-AUTH from a 
client on your network, and have pwcheck_method: saslauthd defined in 
your smtpd.conf file, you have to have PLAIN LOGIN appear in the AUTH 
line when telnetting.

Best regards,
Greg Groth
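
The two checks described in this message (the AUTH line in the EHLO reply and the pwcheck_method in smtpd.conf) combined into one script, as an added example that is not part of the original post. The function names are hypothetical, and the "not checked by saslauthd" finding goes beyond the post: it assumes the Cyrus SASL behaviour that saslauthd only receives a username and password, so it can serve PLAIN and LOGIN only.

```python
import re

# PLAIN and LOGIN send the password itself, which saslauthd needs in order
# to check it against the system accounts (assumption stated in the lead-in).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply lines copied from the post; the smtpd.conf line is the one it gives.
SAMPLE_EHLO = """250-mail.domain.com
250-PIPELINING
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-8BITMIME
250 DSN"""
SAMPLE_CONF = "pwcheck_method: saslauthd\n"

def advertised_mechs(ehlo_reply):
    """Collect mechanisms from '250-AUTH ...' and '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def sasl_options(conf_text):
    """Parse 'key: value' lines of smtpd.conf, skipping blanks and # comments."""
    opts = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            opts[key.strip().lower()] = value.strip()
    return opts

def check(ehlo_reply, conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    mechs = advertised_mechs(ehlo_reply)
    if not mechs:
        return ["no AUTH line: Postfix is not offering SMTP AUTH"]
    findings = []
    if sasl_options(conf_text).get("pwcheck_method") == "saslauthd":
        missing, extra = PLAINTEXT_MECHS - mechs, mechs - PLAINTEXT_MECHS
        if missing:
            findings.append("needed but not advertised: " + " ".join(sorted(missing)))
        if extra:
            findings.append("advertised but not checked by saslauthd: " + " ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_EHLO, SAMPLE_CONF)) or "AUTH line matches smtpd.conf")
```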


More information about the freebsd-questions mailing list